Large organisations often struggle to manage multiple AWS accounts and their configurations. It can also become a very tedious task for developers to keep the right resources in the right place.
Hmm, okay, let me tell you one thing! What if you had a central place from which you could track all your multi-account configurations, manage them and control access for all your employees?
You heard it right! AWS does provide that central place, and it is called AWS Control Tower.
AWS Control Tower is a service offered by Amazon Web Services (AWS) that aids businesses in setting up and managing a safe, well-designed multi-account AWS environment.
It offers a consolidated dashboard and automation tools to simplify the management of your AWS accounts, making it simpler to maintain a safe and effective AWS environment.
Okay, so that was what AWS Control Tower is; now let's see how to set it up in your current AWS account.
The landing zone is that central place where all your AWS accounts will land, grouped into OUs.
In simple language, a landing zone in AWS Control Tower is like a starting point or foundation for setting up and managing your AWS environment. It is a pre-configured and secure AWS environment that includes multiple AWS accounts organised in a structured manner.
There is no extra cost for using AWS Control Tower; you only pay for the services that Control Tower enables on your behalf.
Select the regions you want to bring under the governance of your landing zone. I am choosing us-east-1 as my home region. Click Next.
AWS Control Tower will create a Security OU (organisational unit) in which it creates two shared AWS accounts: log-archive and audit.
By creating a foundational OU, AWS Control Tower helps establish a structured hierarchy for your AWS accounts, enabling better governance and management. You can also add additional OUs in this landing zone.
After creating the foundational OU, you now have to set up those two shared accounts by adding an account email and name for each of them.
It is not mandatory to create new accounts: you can also include existing accounts as the log-archive and audit accounts.
Now we are at the final stage, where you can add additional configurations, such as setting up IAM Identity Center to manage your team's access.
You can enable or disable CloudTrail to capture all account activity as logs in a central S3 bucket.
Review all your changes and click Set up landing zone.
Once it is done, you can see 1 OU and 2 AWS accounts listed in the landing zone.
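One way to confirm that the landing zone came up as described (a Security OU holding the two shared accounts, and the home region under governance) is to check the Organizations data against that baseline. This is an added example, not code from the original post or from AWS: the OU and account records below are constructed sample data in the shape returned by boto3's organizations.list_organizational_units_for_parent() and list_accounts_for_parent(), so the check runs offline.

```python
from typing import Dict, List

# Names of the shared accounts the post describes; adjust if your accounts differ.
REQUIRED_SHARED_ACCOUNTS = {"log-archive", "audit"}


def landing_zone_findings(ous: List[dict], accounts_by_ou: Dict[str, List[dict]],
                          home_region: str, governed_regions: List[str]) -> List[str]:
    """Return baseline violations; an empty list means the landing zone looks right."""
    findings: List[str] = []
    if home_region not in governed_regions:
        findings.append(f"home region {home_region} is not under landing zone governance")
    security = [ou for ou in ous if ou["Name"].lower() == "security"]
    if not security:
        findings.append("foundational Security OU is missing")
        return findings
    members = accounts_by_ou.get(security[0]["Id"], [])
    present = {a["Name"].lower() for a in members}
    for name in sorted(REQUIRED_SHARED_ACCOUNTS - present):
        findings.append(f"shared account '{name}' not found in Security OU")
    for account in members:
        if account["Status"] != "ACTIVE":
            findings.append(f"shared account {account['Name']} is {account['Status']}, expected ACTIVE")
    return findings


# Constructed sample data (hypothetical OU and account ids, not real values).
SAMPLE_OUS = [{"Id": "ou-abcd-11111111", "Name": "Security"}]
SAMPLE_ACCOUNTS = {
    "ou-abcd-11111111": [
        {"Id": "111111111111", "Name": "log-archive", "Status": "ACTIVE"},
        {"Id": "222222222222", "Name": "audit", "Status": "ACTIVE"},
    ],
}
# Same structure with the audit account missing, to show a drift finding.
SAMPLE_ACCOUNTS_DRIFTED = {"ou-abcd-11111111": SAMPLE_ACCOUNTS["ou-abcd-11111111"][:1]}

if __name__ == "__main__":
    for label, accounts in (("baseline", SAMPLE_ACCOUNTS), ("drifted", SAMPLE_ACCOUNTS_DRIFTED)):
        result = landing_zone_findings(SAMPLE_OUS, accounts, "us-east-1", ["us-east-1"])
        print(label, "->", result or "OK")
```

In a live account you would replace the sample structures with the output of the two Organizations calls named above and run the check after each landing zone change.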
In this blog we saw how to set up a landing zone to get started with AWS Control Tower. You can create different OUs and add domain-specific AWS accounts to those OUs. This will help you organise your accounts for faster account access and better management.
Other things you can do with control tower:
1: Create a new AWS account.
2: Add an existing AWS account (an account outside the landing zone) to the landing zone.
3: Remove any added AWS account from the landing zone.